Implementing Wildcard SSL with WHM/cPanel

SSL is a frustrating process. A normal certificate allows you to secure only a single specific subdomain, such as secure.example.com. That certificate would then not work for www.example.com.

Wildcard SSL is more expensive, but allows you to secure anything underneath your domain, so you could secure both www.example.com and secure.example.com.

cPanel is one of the most popular hosting control panels available, and it doesn't play well with Wildcard SSL. I've read many tutorials, and every one I read had stupid ideas, including using mod_rewrite to hack the url into thinking your subdomain content is not inside your public_html directory. Some tutorials tell you to use WHM to install the certificate multiple times, which also doesn't work.

This assumes you've done SSL, and are experienced with your server, but are having trouble with the wildcard stuff.

First of all, your cPanel account really should have a dedicated IP address assigned to it. Ask your hosting provider to do this for you.

Next, generate your CSR in WHM using the "Generate an SSL Certificate and Signing Request" option. The "host to make cert for" option should be *.example.com.

When you get your certificate back, use the "Install an SSL Certificate and Setup the Domain" option. Paste the certificate sent to you in the first box, and WHM should fetch what you need. Change the domian to example.com (remove the *.) and set the IP address to your dedicated IP. If WHM does not automatically find your CA Bundle and private key, you should provide those as well. Submit.

Your example.com will now be accessible via HTTPS. Awesome. Now you can go into cPanel and add some subdomains to your account. For this example, let's say I've added forums.example.com as a subdomain. When you do this, Apache's httpd.conf file gets a new virtual host config for the insecure version of forums.example.com. If you visit the secure version in your browser, the web root will be for www.example.com instead! Oh no! The issue is httpd.conf needs a listing for the secure version.

You're beyond how cPanel/WHM can help you. Dive into your shell as root. Navigate to /var/cpanel/userdata/<cpanel account name>/ and you'll find config files for each of your subdomains. These files are what cPanel uses to dynamically build your httpd.conf file. Remember, you absolutely do not want to edit httpd.conf manually. Things will work temporarily, but bad things will happen in the future.

This is actually quite simple. Clone your example.com_SSL file into forums.example.com_SSL. Now edit forums.example.com_SSL. You'll need to modify the documentroot, serveralias, and servername accordingly. documentroot should be obvious, and in our example serveralias would be www.forums.example.com and servername would be forums.example.com.

Now just execute /scripts/rebuildhttpdconf and restart Apache. You'll get a warning about a duplicate SSL virtualhost. That's okay, it works fine. Visit https://forums.example.com/ and you'll get the correct document root now. And the SSL will work. And cPanel officially knows of your SSL subdomain, and won't blow it away in the future.